Re: Pervasive Campus Wireless

["Avdagic, Indir" <indir_avdagic () WSU EDU>]

We are using Cisco Wireless Control (WCS) to support guest wireless access.  Cisco recommends the use of a controller 
dedicated to guest traffic. This controller is known as the guest anchor controller. 

The selection of the guest anchor controller is a function of the amount of guest traffic as defined by the number of 
active guest client sessions, or as defined by the uplink interface

capacity on the controller, or both.  A maximum of 2048 guest usernames and passwords can be stored on each 
controller_s database. Therefore, if the total number of active guest credentials is in excess of this number,

more than one controller will be needed.  Because of this limitation it is highly recommended usage of external RADIUS 
server.  Also,  we use Cisco Wireless Control (WCS) for centrally creation and management of guest accounts. 

 A WCS administrator can establish a limited−privilege administrative account within WCS that permits lobby ambassador 
access for the purpose of creating guest credentials.

 In WCS, the person with a lobby ambassador account is able to create, assign, monitor, and delete guest credentials 
for the controller serving as a guest anchor controller.

The lobby ambassador can enter the guest username (or user ID) and password, or the credentials can be auto-generated. 
There is also a global configuration parameter that enables

the use of one username and password for all guests, or a unique username and password for each guest.

If the WCS is not deployed, a WCS administrator can establish a lobby ambassador account on the guest anchor 
controller. 

A person who logs into the guest anchor controller using the lobby ambassador account will have access only to guest 
user management functions.

 

I hope this helps.

 

 

____________________________________________  
Indir Avdagic, CISSP, ACSA, TICSA

Network Security Engineer

Washington State University  

indir_avdagic () wsu edu

Phone: (509) 335-3279
http://infotech.wsu.edu/security/  

 

          

 

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eme Ejike
Sent: Friday, January 23, 2009 10:27 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Pervasive Campus Wireless

 

Since the focus of providing access to the wireless system is  geared primarily for visiting guest. We are of the 
stance that some sort of sponsorship is applicable. Our current approach was developed as a use case. Additionally, 
accessibility was of the utmost concern. Don't forget the sponsorship request is an online/web service that could be 
potentially available to all associated university community members if the need be. The system is managed on our 
enterprise IDM  segment. This decision is determined by management. By providing some form of accountability not only 
do we cover mandated state regulations but we also leverage our resources in detecting and determining sources of 
threats or vulnerability to our network environment.

Eme Ejike
Old Dominion University
Systems Security Officer
4700 Elkhorn Ave - Room 4300
Norfolk, Va, 23529 USA
Phone: (757) 683-6755
eejike () odu edu 

 
The information in this email and any attachments may be confidential and privileged. Access to this email by anyone 
other than the intended addressee is unauthorized. If you are not the intended recipient (or the employee or agent 
responsible for delivering this information to the intended recipient) please notify the sender by reply email and 
immediately delete this email and any copies from your computer and/or storage system. The sender does not authorize 
the use, distribution, disclosure or reproduction of this email (or any part of its contents) by anyone other than the 
intended recipient(s).

 

No representation is made that this email and any attachments are free of viruses. Virus scanning is recommended and is 
the responsibility of the recipient.

Dick Jacobson wrote: 

On Thu, 22 Jan 2009, Jerry Sell wrote:
 
I have seen several responses to this and have a couple questions.
 
First, if your guest is "sponsored" and "authenticated" is this really an 
"open" system ?  I interpret "open" as unauthenticated and providing the 
service (intentionally or not) to the community at large (including the 
institutional community).
 
With that in mind, and with the legislative environment of the last 
several years, is there not a great risk in anonymously providing access 
to the larger community ?
 
  

        My superiors are interested in gathering some data concerning what other universities are providing open access 
guest wireless services on their campuses.  It would be helpful to us if we could enlist your input on the following 
questions.
         
         
         
        1. Does your university provide an open access Wifi system for guests on campus?
         
         
         
        2. If so, does it have encryption of any kind setup?
         
         
         
        3.  Do you use a third-party subscription service such as Boingo, or do you have your own subscription service, 
or no subscription required?
         
         
         
        4. If you don't require any authentication/subscription, how does your University feel about the risk of 
providing an anonymous platform that can be used for illegal activity?  Have they accepted the risk?  Do they not feel 
the risk is great enough to mitigate?
         
         
         
        Many thanks in advance to those who respond.
         
        Thank you,
         
        Jerry Sell, CISSP
        Security Analyst
        Brigham Young University
        (801)422-2730
        Jerry_Sell () byu edu<mailto:Jerry_Sell () byu edu> <mailto:Jerry_Sell () byu edu> 
         
         
         
            

 
 
-----------------------------------------------------------------------
Dick Jacobson                  e-mail : Dick.Jacobson () ndus NoDak edu
NDUS IT Security Officer       office : STTC 219
               phone  : 701-231-6280 <NEW phone number>
-----------------------------------------------------------------------